Cyber risks are considered a serious threat to business by most boards, but mitigation practices and cyber supply chains are not meeting necessary standards says Willis

A disparity between the acceptance and mitigation of cyber risks is apparent at many large firms according to Willis FINEX National practice leader, Jonathan Brooks.

A report by the UK Department for Business, Innovation & Skills last month revealed only 14% of FTSE 350 firms regularly consider cyber threats, with a significant number not receiving any intelligence about cyber criminals.

However, 62% of companies think board members are taking cyber risks very seriously and 60% understand what their key information and data assets are.

Speaking after the launch of Willis’s Cyber ATLAS toolkit, Brooks said he believed firms must be more proactive about their cyber security and engage the entire organisation to become more familiar with IT security.

He said: “It is no longer sufficient for the organisation’s leadership to simply evidence that they have an incident response and business continuity plan.

“They also need to demonstrate that they and their employees understand the cyber exposures facing the company and the main types of cyber threat; they need to implement appropriate technical, organisational and physical cyber security measures and have appointed a competent external incident response team.”

Cyber security doesn’t stop at the building walls either as cyber criminals often target the IT network and vulnerabilities of small companies to get into the network of a multinational firm, according to Brooks.

However, he said most small firms did not have the resources to buy expensive cyber security solutions leaving the entire supply chain at risk.

In a bid to plug a gap in the market, Willis launched Cyber ATLAS, which it said aimed to improve cyber security and IT skills throughout the business and its suppliers by providing e-learning, online self-audits and a 24/7 incident response service in the event of a cyber breach.  

Brooks said: “We knew that very few companies within the insurance industry deal with educating their clients on preventative measures, but what we didn’t appreciate was the sheer lack of solutions available for small businesses.

“Quite simply, they were either far too expensive for a small business or took weeks or even months to complete.”